New Java Security Flaw Uncovered After Mega-Patch

Java is starting to look like a chubby guy in tight Dockers who can't sit down without splitting a seam (and yes, I analogize from experience). A week after Oracle released Java 7, Update 21, which included 42 vulnerability patches, news of a reflection API vulnerability in the newly shipped Java Runtime Environment (JRE) has emerged, as reported by veteran Java bug hunter Adam Gowdiak.

Gowdiak is CEO and founder of Security Explorations, a Poland-based security and vulnerability research company. He wrote about the security flaw on the "Full Disclosure" mailing list, a "lightly moderated high-traffic forum for disclosure of security information." (It's a great list whose contributors display a sense of humor in the face of some serious issues.)

The Java Reflection API is used to examine and modify the behavior of applications running in a Java Virtual Machine (JVM). The reflection API vulnerability affects all versions of Java SE 7, including Update 21, Gowdiak said, and can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a Web browser would require "proper user interaction," he wrote -- in other words, the user has to click "yes" to allow a malicious app to execute even when a security warning window is displayed.

Gowdiak's post comes on the heels of Oracle's recent announcement that delays in the release of Java 8 are the result of the company shifting significant material resources to work on Java security vulnerabilities.

In January, Oracle's senior product security manager, Milton Smith, told Java User Group (JUG) leaders during a conference call that the company's chief area of concern was Java plugins running applets on the browser. ""A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser," he said. "It's the biggest target now."

And yet Gowdiak said the new issue he found is present not only in the JRE Plugin/JDK software, but also the Server JRE. He says he sent a report to Oracle "signaling multiple security problems in Java SE 7 and the Reflection API in particular," along with proof-of-concept code, in Apr 2012.

"It's been a year since then and to our true surprise," we were still able to discover one of the simplest and most powerful instances of Java Reflection API based vulnerabilities," he wrote. "It looks [as though] Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the 'allowed' classes space. If so, no surprise that Issue 61 was overlooked."

Posted by John K. Waters on 04/24/2013 at 10:53 AM2 comments

Hortonworks, Mirantis and Red Hat Partner on Project Savanna

Two of the biggest players in the OpenStack community and a top Hadoop provider announced plans yesterday to join forces to advance the "Hadoop on OpenStack" project known as Savanna. OpenStack systems integrator Mirantis Inc., the company that started Project Savanna, will be working with Hortonworks Inc., the top commercial distributor of Apache Hadoop, and Red Hat Inc., the current leading OpenStack contributor, the three companies said today.

"We're rallying around this notion of Apache Hadoop as the killer application for OpenStack," Shaun Connolly, Hortonworks VP of corporate strategy, told "Hadoop is clearly an important technology in the big data space, and it stands to benefit from being deployed on a cloud platform."

Also known as "Elastic Hadoop on OpenStack," Project Savanna aims to provide a means to easily provision and manage Hadoop clusters on the OpenStack cloud infrastructure. Hadoop, which started as an implementation of the MapReduce paradigm, has evolved into a platform for distributed computing with a growing number of projects built on top of it. The Savanna project specifies Hadoop parameters, such as version, cluster topology and nodes hardware details.

"You can view Savanna as that elastic cloud controller that will make it easy to deploy and spin up Hadoop clusters on demand within an OpenStack cloud," Connolly said.

The collaboration will provide an integration point for third-party Hadoop provisioning and management frameworks, the companies said. One example they point to is the open source Apache Ambari project, which provides an intuitive Hadoop management Web UI backed by its RESTful APIs. The companies say they will have a demonstration of this technology ready for the upcoming Hadoop Summit, scheduled for June in San Jose, Calif.

"We are bringing engineers to bear on this project," Connolly emphasized. "This is not a marketing relationship. It's about real engineers writing real code within a community-driven foundation project."

Mountain View, Calif.-based Mirantis, which specializes in building OpenStack-based, open source cloud platforms, originated Project Savanna, and just recently contributed the source code to the OpenStack community. The project grew out of the "megatrend" of big data initiatives, said company President and CEO Adrian Ionel, and a recognition of a growing demand among its customers for an integrated solution.

"They wanted a unified infrastructure that gives them a more flexible approach to providing resources to applications when they need them, instead of managing separate clusters throughout the enterprise," Ionel said. "We saw a great opportunity to take Apache Hadoop and OpenStack and blend them together to make Hadoop an elastic component on top of OpenStack, which would provide a drastically improved experience in terms of being able to spin up a Hadoop cluster within OpenStack on demand, and then manage it from there and integrate it with other workloads in the enterprise."

Currently in its seventh release (code-named "Grizzly"), OpenStack is made up of several interrelated projects focused on delivering various components for a cloud infrastructure solution. As the community Web site describes it, the project aims to deliver "solutions for all types of clouds by being simple to implement, massively scalable, and feature-rich." More than 180 companies participate in the OpenStack project, including Advanced Micro Devices Inc., Cisco Systems Inc., Citrix Systems Inc., Dell Inc., Hewlett-Packard Co., Intel Corp. and Microsoft.

The three companies made the announcement at the OpenStack Design Summit, which is underway this week in Portland, Ore.

Posted by John K. Waters on 04/17/2013 at 10:53 AM0 comments

Atlassian Announces Confluence 'Blueprints'

Collaboration and development tool maker Atlassian has created a set of page-creation templates, dubbed "Blueprints," designed to simplify the way users of its Confluence content and team collaboration platform create and share their work. Blueprints also provide instructional "placeholder" text and an automated structure for organizing content once it has been created.

Blueprints are aimed at so-called non-technical users (HR teams, sales and marketing, product management, etc.), which the company says account for a growing segment of the population of Confluence users. Atlassian recently released Confluence 5.0, which company co-founder and CEO Mike Cannon-Brookes described in a blog as "Probably the biggest interface overhaul we've ever done in Atlassian's history."

The company is releasing three Confluence Blueprints initially; all three are built into the Confluence environment. They include: Meeting Notes Blueprint, which is provides easy-to-create, formatted meeting pages for tracking people, agendas and notes; File List Blueprint, which allows teams to share and access files in one place that is easily searchable, versioned, and permission-controlled; and Requirements Blueprint, which helps teams to "more easily define, discuss, and organize product requirements" with automatic update versioning, facilitation of discussions, and allowing the use of custom properties for tracking and reporting.

Darryl Duke, founder of StepStone Technologies, was one of the expert partners working with Atlassian on the Blueprint project. StepStone focuses on Confluence almost exclusively, offering a product called Zen Foundation, which is designed to make Confluence simple for non-technical users.

"We think of Confluence, not so much as a tool that helps teams to build great software, but as a tool that helps them to build relevant software," Duke told ADTmag. "It solves the core communication problem faced by any collaboration tool user, and provides a great way to structure the creation of content." 

Duke described Confluence Blueprints as "uber-templates with functionality built in" that allows many different people within an organization to collaborate, from the software development teams to those in the "outer circle," such as the HR department and the legal. "It gives you a much broader ability to collaborate across disciplines within the company," he said. 

Atlassian is an Australian collaboration and development tool maker best known for its JIRA bug tracker and its Confluence collaboration tool. It also makes Stash, an on-premise distributed version control systems (DVCSs) for enterprise teams, and Bitbucket, a cloud-based DVCS hosting service. The company released to beta a new version of its SourceTree desktop client for the Git and Mercurial DVCSs in March.

The first three Atlassian Blueprints are being released into the Atlassian Marketplace, which is embedded within Confluence. Four Atlassian Marketplace vendors have partnered with the company to build their own Blueprints, which are also available for download. They include: strategy canvases by Comalatech for managing tasks and visualizing business processes; online diagrams by Gliffy for building professional-quality flow and organizational charts; polls by Simplenia for creating and sharing simple polls to make group decisions; and Evernote Importer by StiltSoft to bring notes into Confluence for sharing.

Posted by John K. Waters on 04/10/2013 at 10:53 AM0 comments

Java PaaS Provider Jelastic Adds TomEE Support

Java-based Platform as a Service (PaaS) provider Jelastic Inc. has added the Apache TomEE application server to the list of software stacks supported on its platform. Jelastic is the first public PaaS to offer TomEE support.

TomEE (pronounced "Tommy") is a version of Apache Tomcat aimed at the Java Enterprise Edition (JavaEE) Web Profile, a subset of Java EE APIs focused on Web app development. The Apache Software Foundation (ASF) released TomEE as a Java EE 6 Web Profile certified stack last summer. Available under the Apache 2.0 license, it integrates a number of Java projects, including Apache OpenWebBeans, Apache MyFaces, Apache ActiveMQ, Apache CXF and Apache OpenJPA. Version 1.5.1 was released in December 2012.

Support for function-based profiles was one of the most talked about capabilities of Java EE 6. The Web Profile was the first profile defined by the Java Community Process (JCP) expert group, and support for TomEE was among the top requests among Jelastic users, said company COO Dmitry Sotnikov. "TomEE is a natural fit for any cloud platform that offers Tomcat, as it offers Java EE compliance, but with the footprint and startup time of Tomcat," Sotnikov said in a statement.

"In Java EE 5 and previous versions, in order to achieve certification, you had to implement the full set of Java EE APIs," explained Gartner Inc. analyst Massimo Pezzini in an earlier interview. "And there are a ton of those. This is the reason there aren't that many products that are Java EE certified. Basically, it's only the big vendors—JBoss, Oracle WebLogic, IBM WebSphere—who can really afford to put together a Java EE-compliant product. But with profiles, you can define a subset of the Java EE APIs and achieve certification only for that particular subset."

Jelastic is a Java and PHP cloud hosting platform designed for hosted services providers. It runs any Java application in the cloud, the company says, without code or language changes, and without the need to write for specific APIs. It supports any JVM-based application, including apps developed with Java 6, Java 7, JRuby, Scala and Groovy. The Jelastic platform supports three SQL databases: MariaDB, MySQL and PostgreSQL. It also provides non-SQL database support for MongoDB and CouchDB. Along with the newly added TomEE, its list of supported app servers includes Tomcat (6 and 7), GlassFish and Jetty. Jelastic provides its users with developer tools through plug-ins for such build systems as Maven, Ant, Hudson and Jenkins.

Palo Alto, Calif.-based Jelastic was founded in 2010 by Hivetext, a Zhytomyr, Ukraine-based startup focused on Java application development in the cloud. Ruslan Synytsky, founder and CEO of Jelastic, has said that his company's flagship platform is the first Java PaaS to provide "full application compatibility and developer control," and "the only choice for Java developers" who want to avoid lock-in.

Jelastic is hosted in the United States with ServInt; in Russia with Rusonyx; in Germany with dogado; in the United Kingdom and Ireland with Layershift; in Japan with Tsukaeru; in Brazil with Websolute; in Sweden with Elastx; and in Finland with Planeetta.

More information about the Jelastic PaaS is available on the company's Web site. More information about Apache TomEE is available on the TomEE download page.

Posted by John K. Waters on 03/13/2013 at 10:53 AM0 comments

Red Hat Takes OpenJDK 6 Leadership Role

Red Hat developer Andrew Haley will assume the role of project lead for OpenJDK 6, the company announced last week, letting Red Hat "continue to help drive the future of Java and of OpenJDK."

Haley is a long-time Java technical lead and member of the OpenJDK governing board.

This announcement isn't headline-grabbing, but this "transition into a leadership role" underscores Red Hat's commitment to Java."We think that Java will continue to be a strong option for developers for a long time to come," Rob Cardwell, vice president of middleware strategy at Red Hat, told ADTmag. "What we're doing with OpenJDK 6 is continuing a trend we started years ago with IcedTea Project."

Red Hat has been involved in the OpenJDK since 2007, when it signed Sun Microsystems' OpenJDK Community TCK License Agreement. The TCK (Technology Compatibility Kit) is the official test suite for compliance of implementations of Java Specification Requests (JSRs); they can only be provided by the spec lead of a JSR. Red Hat was the first big software vendor to license the TCK.

The IcedTea Project Cardwell referred to was a build and integration project Red Hat launched in 2007. Its aim was to make it possible to add OpenJDK to Fedora and other Linux distributions that require free software. A version of IcedTea based on OpenJDK was packaged with Fedora 8 later that year.

The board oversees the OpenJDK community and upholds its bylaws, but has no direct authority over technical or release decisions. Along with Red Hat's Haley, the list of current board members includes: chairman Georges Saab from Oracle, vice chair John Duimovich from IBM, OpenJDK lead Mark Reinhold from Oracle, at-large member Doug Lea from SUNY Oswego. The board also includes two "observers:" Ed Lynch from IBM, and Mike Milinkovich, executive director of the Eclipse Foundation.

IDC analyst Al Hilwa said he believes Red Hat's continued support and investment in Java -- especially given the company's success as an open source enterprise technology provider - give credibility to the company's "vision for the future of OpenJDK and goal of driving innovation in Java."

Haley blogs fairly frequently, and his posts are worth reading. His latest includes some details on the latest release of IcedTea. An earlier post does a great job of clarifying the security differences between running Java code from the command-line and running it via a browser plugin.

Posted by John K. Waters on 03/12/2013 at 10:53 AM1 comments

Ferris: A New Framework for Google Apps Development

It's an odd way of setting a high standard, naming your flagship product after one of the last century's most notorious cinematic slackers, but the decision to call their new web application development framework "Ferris" (for Ferris Bueller) made perfect sense to its creators at Cloud Sherpas.

 "We're making it easy for developers," explained Cloud Sherpas' Michael Cohn. "And Ferris Bueller was all about easy."

Written in Python, Ferris is an open-source, model-view-controller (MVC) framework specifically designed for developers using the Google App Engine. The MVC architecture makes for a flexible, Rails-like framework for rapid app development. It automatically provides CRUD (Create, Read, Update, Delete) cycle scaffolding of actions and views. It includes a theme engine built on the Python-based templating language Jinja2.And also it comes bundled with an Oauth2 toolkit and a Google API client.

 At its core, Ferris is an MVC with the App Engine in mind, says its creator, Cloud Sherpas programmer Jon Wayne Parrott. In terms of its capabilities, it falls somewhere between microframeworks like Flask or Bottle and a larger, more complex Web app frameworks like Django or Pyramid, he said.

 "It leverages everything that's available by default in App Engine to make it easy to build applications rapidly," Parrott told ADTmag. "You don't have to fight with it at all to access everything App Engine gives you."

Google's App Engine is a suite of the tools and services for building and scaling Web apps on the company's infrastructure. Applications developed using the App Engine Software Development Kit (SDK) can be uploaded and hosted by Google, and those apps can then utilize Google's bandwidth and computing power. Google claims that it's one of the fastest-growing cloud messaging and collaboration platforms, with more than 50 million users and 5 million business customers. 

 The Atlanta-based Cloud Sherpas is a cloud services brokerage, which means the company serves as an intermediary between cloud vendors and buyers. Think next-gen SI or VAR for the cloud. Among other things, the company serves the Google Apps ecosystem, and it claims to be the largest Google Apps systems integrator in the world. The company has been named Google Enterprise Global Partner of the Year for Apps Implementation two years in a row.

 With all the frameworks on the market these days, it's hard not to wonder why we need another one, but Parrott insists that what developers are getting with Ferris is unique. "This is a highly focused framework for the Google App Engine," he said. "We think that's enough of a differentiator."

 Why build the framework in Python?

 "We just find it a lot easier to develop in Python than Java or (Google's) Go at the moment," Parrot said. "When it comes to pure Web development, it's hard to beat Python when it comes to pure speed and ease of use."

 Cloud Sherpas unveiled the Ferris framework at last week's Strata conference. It is available now for free under the Apache v2 license.

BTW: Parrott stars in a YouTube sendup of the 1986 movie Ferris Bueller's Day Off, the framework's namesake. Fair warning: It includes the shower scene.

Posted by John K. Waters on 03/06/2013 at 10:53 AM0 comments

CISO Panel: Speaking Klingon to Captain Kirk

This year's RSA Conference was chock full of great content. One of my favorite sessions was the chief information security officer (CISO) panel, hosted by Cigital Inc. CTO and build-security-in guru Gary McGraw. Instead of a whip, McGraw wielded a Star Wars lightsaber (a vendor was handing them out on the exhibit floor) to keep four top security execs moving through a series of "driving" questions.

In answering a question about measuring risk, Gary Warzala, CISO at Visa, argued that, although it was certainly important to measure an organization's vulnerabilities and level of compliance, it was just as important to make sure that risk is owned throughout the enterprise.

"When I think about the technology organization, we hold the majority of operational risks," he said. "We need a process by which we're managing that risk on a daily basis, and then we need to be able articulate that ... But you can't just have the conversation around risk when you're talking to the board; you have to have it across the enterprise."

Google views security as an existential issue, said Eric Grosse, VP of the company's Security Engineering group. It's evaluated based on observed incidents. In fact, the company authorizes internal groups -- on a short-term basis -- to try to break in.

"We have a referee standing by, because they're actually working on the live systems," Grosse said. One side effect of this process is that it makes other employees more alert to potential security issues, he added.

For an answer to the question, "How should the security function interact with executives?" McGraw turned to Howard Schmidt, who served the country's chief executive. The former cybersecurity coordinator for the Obama administration said that the interactions between a CISO and his boss need to be customized, or they can have unexpected consequences.

"One minute you're doing a nice briefing for executives, and the next thing you know, they're subscribing to some list and every virus that comes out has them on the phone saying, 'Is this going to affect us?'" he said. He hastened to add that that never happened with Mr. Obama.

"What you really have to do is to sit down and involve all the business units, preferably in the same room," Schmidt said. "It's almost like creating a disaster recovery plan or business continuity plan, where, if you send out an e-mail asking about priorities, and they're all No. 1. But if you get them all in the same room, you get a better idea of when you need to escalate."

Jason Witty, CISO at U.S. Bank, said that information security execs need to do a better job of speaking with management in business terms.

"We need to talk about things like protecting and enhancing revenue," he said. "We need to change our vernacular ... We don't want to be speaking Klingon to Captain Kirk."

McGraw also asked the panel about which tools they found the most useful in their work, which drew a little groan from Witty.

"I saw a list of information security vendors the other day," he said. "When I saw it, I rolled my eyes so far back in my head I saw behind me … The bottom line for me is that this is a people-and-processes issue, not a technology issue."

McGraw also wondered about how the gathered execs retained good security people. Beyond having "the best recruiter in the business, bar none," not to mention Visa's strong brand, it's the kind of field that attracts people who love the work, Warzala said.

"People in the information security field are what I call digital first responders," he said. "They're the kind of people who run toward a fire while everyone else is running away ... They're not doing the job to make lots of money. They're doing it because they're passionate about it."

Posted by John K. Waters on 03/05/2013 at 10:53 AM0 comments

RSA Preview: HP Security Mavens on the Cybercrime Marketplace

The annual crypto-uber-geek, cyber-security trade show, better known as the RSA Conference, gets underway next week in San Francisco. I love this event. The content is broad and deep and sometimes downright scary. Even registering for the thing can be unsettling: never have I had to work so hard to create a password. And you need a personal access code to get on the wireless network at the show. So cool.

I got a nice warm up for the event earlier this month when I attended a roundtable discussion among HP security mavens. The company is planning to make several major announcements around security at the end of this month, and it'll soon be releasing its "2012 Cyber Security Risk Report." The roundtable included execs from the various groups HP assembled last year to form its Security Intelligence and Risk Management platform. The discussion focused on trends in cybercrime, the evolving marketplace for information theft and the best enterprise defense strategies.

Art Gilliland, SVP of HP's Software Enterprise Security Products group (and former Symantec exec), kicked off the conversation by suggesting that the press, and even some security professionals, spend too much time talking about individual perpetrators.

"Focusing on specific actors is a bit of a red herring," he said. "It misses the fact that there's just so much money to be made from the sale of stolen information that a real marketplace has grown up around cybercrime."

That's the bad news; the good news is markets exhibit recognizable behaviors than can be exploited.

"Markets do very specific things," Gilliland pointed out. "They organize participants, for example, and they create specialization around a process. If companies are going to become more effective at responding to security threats, they're going to need to think about how they disrupt the marketplace of the adversary."

HP uses something called a "kill chain," a traditional process chain originally created by Lockheed Martin, to describe the five steps of a security breach. The kill chain steps include: 1) Research (the bad guys create profiles of their targets); 2) Infiltration (they break in); 3) Discovery (they map the assets and find the good stuff); 4) Capture (they take control of the assets or sensitive information); 5) Exfiltration (they steal or destroy it).

"I believe that the reason we're seeing such an increase in breaches and threats is that we, as an industry, are not building the capabilities necessary to disrupt this process," Gilliland said.

Instead, a great deal of emphasis is placed on the technology infrastructure for blocking the adversaries -- anti-virus software, firewalls, etc. But, as Gilliland put it, "this marketplace innovates around us," and a break in is all but inevitable. "If you believe that that's true -- and I think most security experts do -- then we had better get much better at catching them inside before they've stolen the data," he said.

"It's critical that organizations get to a point where they can respond very quickly to each of those steps," said Scott Lambert, director of HP's DVlabs. "That's how we change the game."

Digital Vaccine Labs was the research organization within security vendor TippingPoint, which HP acquired in 2010 when it bought 3Com. HP describes DVlabs as "the heart" of the company's IT security research and intelligence.

Lambert allowed that firewalls and intrusion detection-and-prevention systems provided protection from what attackers were leveraging when those technologies where created, and they're still effective at blocking certain classes of attacks. But today the focus of the attackers is shifting away from perimeter defenses and toward the individual. Vulnerabilities in social networks, for example, are attracting a new generation of cybercriminals.

Lambert also added to my growing security vocabulary list with "OODA Loop:" observe, orient, decide, and act. It's a military term applied to combat operations; whoever gets through the loop faster is likely to be the winner.

"At each of the stages in the kill chain, there is a set of assessments that must be made and actions that must be taken," he said. "The attacker is going to keep coming back in; shut down one door, and they'll find another one. So we need to be quicker at identifying that they're inside, telling them to go away, shutting those doors, and getting on right on top of them when they come back."

Jacob West, CTO of Fortify Products within HP's Enterprise Security group, weighed in on the subject of security in the application layer. Although network and end-point security still get the lion's share of a typical organization's security budget, he said, app security is finally getting the attention it deserves.

"Ten years ago there wasn't a field called 'software security,' West said. "Security was still pixy dust that you layered on top of your software after you built it. We've come a long way since then, and now we're seeing substantial investment in securing the application layer."

The reason for the increased investment, West said, is the growing popularity of the app layer as a target. But he added that it's a mistake to expect top notch developers to also become security experts.

"You just can't be both," he said. "So what we in the industry need to do is to enable those developers—and everyone else who contributes to the development lifecycle -- to understand that they're making security-relevant decisions and give them the processes and technologies to make those decisions in the right way when they're faced with them."

In 2007 West co-authored Secure Programming with Static Analysis Addison-Wesley Professional, July 9, 2007) with Brian Chess, founder of security vendor Fortify Software, which HP acquired in 2010. Fortify was known for its static application security analysis technology, and West and Chess's book is something of a classic in that field.

"I do think a lot of development organizations recognize that security is now a core requirement of the software they build," West added. "They can't make every developer a security expert, but they know that software those developers eventually produce needs to be secure. And do see an increasing number of firms with large development investments tying developer performance and compensation to security metrics."

And yet many organizations have yet to implement even basic perimeter security, said Joni Kahn, SVP of Services and Support in HP's ArcSight group, let alone addressing more sophisticated threats. Kahn runs professional services at HP and is actively involved in breach remediation and response. (HP acquired security information and event management provider ArcSight in 2010.)

"We spend a lot of time talking about the business processes that allow you to leverage the technology in an effective way," she said.

To my dumb question of the day, "Why haven't we fixed all this yet?" Kahn replied, "Well, that's a little bit like asking, Why haven't we stopped all burglaries? There's money in this, and crime pays."

BTW: Gilliland will be talking about how market forces are organizing our adversaries at the RSA Conference. His talk is entitled: "Criminal Education: Lessons from the Criminals and their Methods."

Posted by John K. Waters on 02/22/2013 at 10:53 AM0 comments

Java: The Most Popular Programming Language

Forget the headline-grabbing revelations of new security flaws, the dogged dissing from Apple and the dire warnings from the U.S. Department of Homeland Security: Java is the world's most popular programming language. That's according to TIOBE Software's latest Programming Community Index.

TIOBE is a Netherlands-based provider of software quality assessment services based on the ISO/IEC 9126 standard. The company ranks the popularity of software languages based on "the number of skilled engineers world-wide, courses, and third-party vendors." The purpose of the Index, the company says, is to provide coders with a kind of contextual yardstick with which to measure their own language skills against current demand.

Ten months after being spanked by C, Java has risen to the top largely because of the popularity of Android mobile devices, the indexers concluded. Java accounted for 18.387 of market share in February, as measured by TIOBE, while C held onto a solid 17.080 percent, followed by Objective-C with 9.803 percent and C++ with 8.758 percent.

The Index also indicated that the popularity of Python is on the rise (4.949 percent, up 1.07 percent over the last half year), with PHP holding steady at 5.074 percent.

Altogether, TIOBE ranks 50 programming languages, though it follows many more. The company emphasizes that the Index measures only the popularity of a language, not its actual quality (no "bests") nor the number of lines of code written in it.

Java also made it to the top of a rival language popularity index: the latest PYPL (PopularitY of Programming Language) Index. This popularity indicator is published by pyDatalog, a provider of a pure-Python implementation of a declarative subset of Prolog, called Datalog. Java topped the PYPL Index in February with a 29 percent market share. PHP came in second with 14.6 percent. C# followed with 10.5 percent, Python with 10.3 percent and C with 9.6 percent (down .9 percent).

The goals of the PYPL indexers are the same as TIOBE's: "If you believe in collective wisdom," the Web site states, "the... index can help you decide which language to study, or which one to use in a new software project."

TIOBE, which has been around a while, tracks the popularity of languages by counting related Web pages; pyDatalog, the new kid on the popularity indexing block, counts how often language tutorials are searched on Google. One tracks availability; one tracks demand. I'm not sure which is the better methodology, but it's useful to be reminded that Java isn't merely a popular target.


Posted by John K. Waters on 02/13/2013 at 10:53 AM1 comments

Upcoming Events


Sign up for our newsletter.

I agree to this site's Privacy Policy.